Issue deploying new certificates

    Question

  • So to start off, we are in the process of deploying 802.1x. It is going very well, but here is my issue now:

    We started with two group policies, one to get the autoenroll working, and one for the 802.1x settings working. We made a user group to add these computers in. I linked the two GPO's to this user group, so that every computer I put in that group will receive a certificate for 802.1x, and get the settings configured correctly.

    Now, we added computers on a per machine basis. I've done around 300 now. We are wanting to add computers at an OU level, so I made a new GPO that combines the old two GPOs into one. I have tested this GPO and it is working well.

    My problem is when I add an OU to the new GPO, but they have a certificate from the old GPO's, when will they get the new certificate? Should it get a second certificate issued, even though they are the same certificate and will just have different dates?

    So far it appears that the valid certificate from the old GPO's does not delete and the computer will not receive a new certificate while it has the old one in place.

    Friday, March 20, 2015 11:28 AM

All replies

  • Hi,

    >>I linked the two GPO's to this user group, so that every computer I put in that group will receive a certificate for 802.1x, and get the settings configured correctly.

    A GPO can't be linked to a group. A GPO can be linked to Site, Domain, and OU. Usually, GPOs are linked to Domain and OU. Besides, for users and computers to apply the settings in a GPO, the users or the computers, but not the groups they belong to, must reside in the scope (Site, Domain, OU) the GPO is linked to.

    Moreover, we can run the cmd command gpresult /h report.html to collect a Group Policy result report and check how Group Policy settings get applied. Note: to collect the computer part of the settings, we need to run the command with administrative privileges.

    In addition, for certificate questions, in order to get better help, we can ask for suggestions in the following forum.

    Security

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity

    Best regards,

    Frank Shen





    Monday, March 23, 2015 7:07 AM
    Moderator
  • The old group policy I have is linked to the entire domain, but I have the group of computers added to the security filtering option in group policy management console, so it will only apply to these computers.
    Monday, March 23, 2015 12:50 PM
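
To see on a given computer whether it holds one certificate or several from the same template, and with which validity dates, the computer store can be listed by template. This is an added example, not part of the original thread; it assumes the 802.1x certificates are in the computer's Personal store (Cert:\LocalMachine\My), and the function name Get-CertTemplateName is hypothetical.

```powershell
# Added example: inventory computer certificates by issuing template.
# Assumption: the 802.1x certificates are in Cert:\LocalMachine\My.
$templateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$templateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

# Hypothetical helper: returns the template name (or OID) recorded in a certificate.
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($oid in $templateInfoOid, $templateNameOid) {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) {
            # Format() renders the extension as text, for example
            # "Template=<name>(<oid>), Major Version Number=..., ..."
            $text = $ext.Format($false)
            if ($text -match '^Template=([^,(]+)') { return $Matches[1].Trim() }
            return $text.Trim()
        }
    }
    return '(no template extension)'
}

$now = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Template   = Get-CertTemplateName $_
        Thumbprint = $_.Thumbprint
        NotBefore  = $_.NotBefore
        NotAfter   = $_.NotAfter
        Valid      = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
    }
}

# Full inventory, oldest certificate first within each template
$certs | Sort-Object Template, NotBefore | Format-Table -AutoSize

# Templates for which the computer currently holds more than one valid certificate
$certs | Where-Object Valid | Group-Object Template | Where-Object Count -gt 1 |
    ForEach-Object { "Multiple valid certificates from template '$($_.Name)': $($_.Count)" }
```

Run it from an elevated PowerShell session on the client, before and after the OU is brought into the scope of the new GPO, and compare thumbprints and dates.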